Trustwave Blog

Perspective:

How to Confront Malware That Refuses to Be Found (VIDEO)

First, a question: If the client-side malware that is raiding your network is not really malware, did it ever exist in the first place? If you're puzzled by my desire to open with a silly philosophical thought experiment, you can thank the substantial uptick in so-called "non-malware" attacks.

Also known as fileless malware (and memory-based or living-off-the-land attacks), the tactics used in these assaults were once solely the domain of nation-state actors, but are now becoming more common in profit-driven campaigns. They are designed to sidestep traditional anti-virus and endpoint security detection with such dexterity that organizations are essentially in the dark that anything harmful is happening.

How do they work? Attackers generally turn to legitimate admin, remote access and penetration tools that are already trusted in the client's operating system environment to perform the dirty work for them. These tools, such as PowerShell or Metasploit, subtly deposit malicious code into the computer's memory, with the malware never needing to execute on the hard drive and face the prospect of detection or forensic review. (Our partner Carbon Black has a good explainer on these attacks).

As for what organizations can do, there is no silver-bullet answer. But it requires a multipronged approach of user education, threat detection with 24/7 monitoring and alerting, remote incident investigation and response and proactive threat hunting.

More specifically, we previously offered advice to help combat attacks perpetrated by the Carbanak cybercrime gang, which has a stunning track record of effortlessly modifying its code and avoiding detection. Many of those recommendations - which are also contained below - will help you not just resist Carbanak, but other similar difficult-to-detect-and-trace malware attacks.

(As a side note, you may lack the internal expertise and resources to accomplish this guidance on your own. If that is the case, we encourage you to consider partnering with a managed security services provider, which can help elevate your strategy).

Conduct regular security awareness training for employees, with a focus on spear phishing.

Conduct mock spear phishing exercises through which employees are sent an email that points to a site controlled by the IT department.

Use an email server or appliance that can assist with malware detection, such as scanning incoming email attachments for Base64, which is used to hide malware.

Disable Macros by default on all Office applications (although a user can still re-enable them).

Deploy a SIEM solution or other log-and-event aggregation system that allows aggregated network traffic to be examined by an expert security team before, during and after an attack.

Ensure intrusion detection rules can detect Metasploit modules.

Rely on threat intelligence-driven software restriction policies, such as preventing program execution from C:\Windows\Temp.

Whitelist PowerShell and VBS scripts used by your organization - and blacklist all others.

Restrict DNS traffic so that internal systems are only able to query your DNS servers.

Watch the "Trustwave Talks" video below as Brian Hussey addresses Carbanak and other sophisticated malware campaigns that emerged or continued last year, including point-of-sale attacks - all of which were addressed in the 2017 Trustwave Global Security Report.